Re: Wierd Packets, ICMP Dest Unreachable

[Matt Scarborough <vexversa () usa net>]

On Thu, 14 Jun 2001 16:02:52 -0600, Phil Wood wrote:

> On Thu, Jun 14, 2001 at 03:09:33PM -0400, Matt Scarborough wrote:
> > Phil,
> >
> > It really is not a problem per se. I think it would only be a problem if
>
> The problem to me is, that snort code in log.c does not know where the
> packet ends and decodes trash and prints the results as real stuff.

I agree. This becomes a problem for those post-processing Snort output.
Looking at DoS backscatter comes to mind.

Here are two packets. Snort captured them based on the
following two rules.

alert tcp $HOME_NET 1159 -> 207.71.92.193 80 (msg:"Packet the Router
Rejected";
flags: R; logto: "RESET.LOG";)

log icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Dest Unreach
(Code 13 Administratively Prohibited)";
itype: 3; icode: 13; logto: "IB_UNREACHABLE.LOG";)

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Packet the Router Rejected [**]
06/02-19:32:27.842493 63.11.38.118:1159 -> 207.71.92.193:80
TCP TTL:64 TOS:0x0 ID:24205 IpLen:20 DgmLen:40
*****R** Seq: 0xA65FB7  Ack: 0xC9FED72  Win: 0x0  TcpLen: 20
0x0000: 20 53 52 43 00 00 44 45 53 54 00 00 08 00 45 00   SRC..DEST....E.
0x0010: 00 28 5E 8D 00 00 40 06 8A B9 3F 0B 26 76 CF 47  .(^...@...?.&v.G
0x0020: 5C C1 04 87 00 50 00 A6 5F B7 0C 9F ED 72 50 04  \....P.._....rP.
0x0030: 00 00 BF 10 00 00                                ......

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] ICMP Dest Unreach (Code 13 Administratively Prohibited) [**]
06/02-19:32:28.676456 129.250.46.49 -> 63.11.38.118
ICMP TTL:239 TOS:0x0 ID:7979 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
63.11.38.118:1159 -> 207.71.92.193:80
TCP TTL:44 TOS:0x0 ID:24205 IpLen:20 DgmLen:40
**U*P*S* Seq: 0xA65FB7  Ack: 0x5B335F27  Win: 0x5441  TcpLen: 20  UrgPtr:
0x4F5F
** END OF DUMP
0x0000: 44 45 53 54 00 00 20 53 52 43 00 00 08 00 45 00  DEST.. SRC....E.
0x0010: 00 38 1F 2B 00 00 EF 01 96 ED 81 FA 2E 31 3F 0B  .8.+.........1?.
0x0020: 26 76 03 0D 97 BE 00 00 00 00 45 00 00 28 5E 8D  &v........E..(^.
0x0030: 00 00 2C 06 9E B9 3F 0B 26 76 CF 47 5C C1 04 87  ..,...?.&v.G\...
0x0040: 00 50 00 A6 5F B7                                .P.._.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

ICMP Type 3 should return the 20 byte IP header + 64 bits of data. Lets look
at all the bytes from the outbound packet that *could* have been returned.

Top row in the pair is what was sent. Bottom row is the bytes that actually
were returned. Beneath that is a description of the byte's representation.

4500   0028  5e8d  0000    4006     8ab9  3f0b 2676
4500   0028  5e8d  0000    2c06     9eb9  3f0b 2676
verhl  len    id   frg   ttl proto  cksm   src adr 

cf47 5cc1  0487   0050   00a6 5fb7 0c9f ed72  50   04   0000  bf10
cf47 5cc1  0487   0050   00a6 5fb7 |- ICMP pkt doesn't have this -|
dst adr   srcprt dstprt   seq.num   ack.num   hl  flags  win  cksm

The bits needed to correctly identify the RST flag didn't return from the
router. Snort filled the alert fields with superfluous data (**U*P*S*.)

Matt Scarborough 2001-06-15

____________________________________________________________________
Get free email and a permanent address at http://www.amexmail.com/?A=1

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users